Year of the Owl
First up, checking SMB shows we cannot authenticate with null credentials.
The root page on port 80 takes us to index.php, which is just a picture of an owl.
From here I ran Nikto and dirsearch.py and was unable to identify any other files or directories. I then ran extensive wordlists and extension suffixes and was still unable to identify anything.
Checking nmap against port 3306 shows our external host is not allowed to connect.
From here I tried a quick Nmap scan against the top 10 UDP ports.
Looking closely at the results, we see that a non-default port is actually running SNMP. Nmap was unable to enumerate version information. We can, however, run a onesixtyone scan against it and see if we get a response.
onesixtyone has identified the community string 'openview'. We can then use this with snmp-check to dump all available SNMP information.
Looking through the results we find a non-default username.
With WinRM open on port 5985 we can then brute-force this user against the service. For this I used crackmapexec.
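As an added, defender-side example (not part of the original writeup), the following Python flags the kind of WinRM credential brute force described above from Windows logon events. It assumes the Security log's 4625 (failure) and 4624 (success) events have already been exported and flattened to one line each; the sample events, source addresses, threshold and window are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real exported logs), one per line:
# timestamp, event id (4625 failure / 4624 success), target account, source address, logon type.
SAMPLE_EVENTS = """\
2020-10-01T10:00:01 4625 Jareth 10.10.14.5 3
2020-10-01T10:00:02 4625 Jareth 10.10.14.5 3
2020-10-01T10:00:02 4625 Jareth 10.10.14.5 3
2020-10-01T10:00:03 4625 Jareth 10.10.14.5 3
2020-10-01T10:00:03 4625 Jareth 10.10.14.5 3
2020-10-01T10:00:04 4624 Jareth 10.10.14.5 3
2020-10-01T11:15:00 4625 alice 10.10.20.9 3
2020-10-01T11:15:09 4624 alice 10.10.20.9 3
2020-10-01T11:20:00 4625 bob 10.10.20.9 2
"""

LINE_RE = re.compile(r"^(\S+) (\d{4}) (\S+) (\S+) (\d+)$")

def parse_events(text):
    """Parse the flattened lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, event_id, account, src, logon_type = m.groups()
        events.append({"time": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "account": account, "src": src, "logon_type": int(logon_type)})
    return events

def detect_bruteforce(events, threshold=4, window=timedelta(minutes=5)):
    """Flag (account, source) pairs with at least `threshold` network-logon (type 3)
    failures inside `window`, and record whether a success followed within `window`."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["logon_type"] != 3 or e["event_id"] not in (4624, 4625):
            continue  # WinRM and SMB logons are type 3; interactive logons are ignored
        bucket = failures if e["event_id"] == 4625 else successes
        bucket[(e["account"], e["src"])].append(e["time"])
    alerts = []
    for key, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            end = times[i + threshold - 1]
            if end - times[i] <= window:
                hit = any(end <= s <= end + window for s in successes.get(key, []))
                alerts.append({"account": key[0], "src": key[1],
                               "failures": len(times), "success_after": hit})
                break  # one alert per (account, source) pair
    return alerts
```

A burst of type-3 failures for one account from one source followed by a success is the signature of a guessed password; a single failure before a success (alice) is normal user behaviour and is not flagged.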
We now have the credentials: Jareth:sarah
From here we can log into WinRM with Evil-WinRM.
Log in with the following command:
At this point I got really stuck on how to proceed. Initially I had issues running WinPEAS as well, until I used an obfuscated binary linked below.
Even with this running I was unable to identify any key points for escalation. After going through some manual checklists I came across checking the Recycle Bin as something that had not been done yet.
In it we can see sam.bak and system.bak.
To download these files to the attacking machine we first need to move them out of the Recycle Bin to somewhere else on the system.
We can then download them.
After these had downloaded to my attacking machine I ran samdump2 against the files, which gave me incorrect hash values. After some troubleshooting I instead tried Impacket's secretsdump.py, which gave the correct hash information.
From here I tried to crack the administrator password and was unable to get a match. Instead, I logged into WinRM with Evil-WinRM using the NTLM hash.